diff --git a/htdocs/core/lib/security2.lib.php b/htdocs/core/lib/security2.lib.php index 3876dc0e2cd..4d79b87122e 100644 --- a/htdocs/core/lib/security2.lib.php +++ b/htdocs/core/lib/security2.lib.php @@ -184,7 +184,7 @@ function dol_loginfunction($langs,$conf,$mysoc) // Set cookie for timeout management $prefix=dol_getprefix(); $sessiontimeout='DOLSESSTIMEOUT_'.$prefix; - if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) setcookie($sessiontimeout, $conf->global->MAIN_SESSION_TIMEOUT, 0, "/", '', 0); + if (! empty($conf->global->MAIN_SESSION_TIMEOUT)) setcookie($sessiontimeout, $conf->global->MAIN_SESSION_TIMEOUT, 0, "/", null, false, true); if (GETPOST('urlfrom','alpha')) $_SESSION["urlfrom"]=GETPOST('urlfrom','alpha'); else unset($_SESSION["urlfrom"]); diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 675c82aa499..27168349f22 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -179,7 +179,9 @@ if (! empty($_SERVER['DOCUMENT_ROOT']) && substr($_SERVER['DOCUMENT_ROOT'], -6) // Include the conf.php and functions.lib.php require_once 'filefunc.inc.php'; -// If there is a POST parameter to tell to save automatically some POST parameters into cookies, we do it +// If there is a POST parameter to tell to save automatically some POST parameters into cookies, we do it. +// This is used for example by form of boxes to save personalization of some options. +// DOL_AUTOSET_COOKIE=cookiename:val1,val2 and cookiename_val1=aaa cookiename_val2=bbb will set cookie_name with value json_encode(array('val1'=> , )) if (! empty($_POST["DOL_AUTOSET_COOKIE"])) { $tmpautoset=explode(':',$_POST["DOL_AUTOSET_COOKIE"],2); @@ -194,7 +196,7 @@ if (! empty($_POST["DOL_AUTOSET_COOKIE"])) $cookiename=$tmpautoset[0]; $cookievalue=json_encode($cookiearrayvalue); //var_dump('setcookie cookiename='.$cookiename.' cookievalue='.$cookievalue); - setcookie($cookiename, empty($cookievalue)?'':$cookievalue, empty($cookievalue)?0:(time()+(86400*354)), '/'); // keep cookie 1 year + setcookie($cookiename, empty($cookievalue)?'':$cookievalue, empty($cookievalue)?0:(time()+(86400*354)), '/', null, false, true); // keep cookie 1 year and add tag httponly if (empty($cookievalue)) unset($_COOKIE[$cookiename]); } @@ -204,7 +206,7 @@ $sessionname='DOLSESSID_'.$prefix; $sessiontimeout='DOLSESSTIMEOUT_'.$prefix; if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$_COOKIE[$sessiontimeout]); session_name($sessionname); -session_set_cookie_params(0, '/', null, false, true); // Add tag httponly on session cookie +session_set_cookie_params(0, '/', null, false, true); // Add tag httponly on session cookie (same as setting session.cookie_httponly into php.ini). Must be called before the session_start. // This create lock released until session_write_close() or end of page. // We need this lock as long as we read/write $_SESSION ['vars']. We can close released when finished. if (! defined('NOSESSION'))